By Sebastián Peralta

I’m diving deeper into cybersecurity through the course “Managing Risk in the Information Age,” and if there’s one thing I’ve learned after each module, it’s this: cybersecurity isn’t just another component of IT—it’s its backbone.

The mission is clear: protect the organization’s information, systems, and operational continuity. To do this, we must identify risks in advance and apply effective measures that go beyond surface-level fixes. Risks exist because threats are always present, and it’s our responsibility to reduce the attack surface as much as possible.

What Would a Hacker Do?

If we had the chance to ask an attacker how to avoid being hacked, their answer would be simple and direct: practice good cybersecurity hygiene.

It’s not just about having antivirus software or firewalls—what matters is that they’re correctly configured, regularly updated, and actively monitored. A poorly configured firewall or an unaware user can be all it takes to compromise an entire system. That’s exactly where attackers find their opportunity.

Phishing: The Persistent Threat

One of the most emphasized takeaways from the course is that phishing remains the most common attack vector. No matter how many layers of technology we implement, if users aren’t trained to recognize suspicious emails, the risk persists.

That’s why user training is just as important as strengthening infrastructure. User awareness is a critical—and often underestimated—line of defense.

Before, During, and After the BOOM

In cybersecurity, it’s no longer a question of if a breach will happen, but when. This event is conceptualized as the BOOM.
Before the BOOM, we must monitor and detect.
During the BOOM, confirm the intrusion.
But it’s after the BOOM that our true level of preparedness is revealed: how do we respond to a real incident?

We need qualified analysts, the right tools, and well-defined procedures. Ethical hackers play a fundamental role—they possess the same skills as attackers but have a different mission: to protect. They understand the adversary’s mindset, making them invaluable assets.

Risk Management as a Guiding Principle

All of this comes down to a central point: risk management must be embedded in every IT decision. Whether it’s a new application, a server change, or a minor update, it must be evaluated through a risk lens.

This means setting clear standards, conducting ongoing audits, and allowing exceptions only with formal justification and full visibility.
